700,000 CA social services records lost—on microfiche

Private data belonging to 700,000 caregivers and recipients was lost or stolen.

The California office of In-Home Supportive Services, which provides health support to elderly and disabled people, reported on Friday that the personal records of some 700,000 caregivers and care recipients were either lost or stolen.

But this data loss was not due to a server breach, or some complex phishing attack—instead, the Social Services office said that Hewlett Packard, which manages the data controlled by the office, notified the IHSS of the breach after a physical package containing microfiche with thousands of entries of payroll data went missing from a damaged package shipped by U.S. Postal Service to the State Compensation Insurance Fund in Riverside, CA.

As the package arrived damaged and incomplete, it’s unclear whether the information was lost or stolen, but the state has launched an internal investigation and notified law enforcement in the hopes of resolving the issue, according to the Los Angeles Times. "The possibly compromised information, dating from October to December 2011, for 375,000 workers included names, Social Security numbers and wages. For 326,000 recipients, state identification numbers may be at risk,” the LA Times reports. The In-Home Supportive Services office is also sending out hundreds of thousands of letters to potentially affected parties.

This is the most recent in a series of high-profile data breaches that have involved state-gathered information this year. In April, hackers stole the records belonging to 181,000 recipients of Utah state health benefits, and in March, IBM lost four cartridges containing the records of 800,000 adults and children covered under the Department of Child Support Services.

Sending something that important using anything other than Registered mail was a huge blunder.

At this point, I would think that it'd be almost negligent to send something with that much personal data any way short of personal courier or paying the mileage for one of your employees to deliver it by hand.

It's interesting that these kinds of physical backup (I presume that's what the microfishe was for) are still used. I don't know too much about long term data storage, but I wonder if this kind of information is not able to be redundantly stored in a more modern way.

It's interesting that these kinds of physical backup (I presume that's what the microfishe was for) are still used. I don't know too much about long term data storage, but I wonder if this kind of information is not able to be redundantly stored in a more modern way.

Microfiche is more stable than "modern" backups like spinning disks, optical disks, flash memory, even tape. Kept properly, microfilm in various formats can live on a shelf for centuries and still be usable. Even if there were no legacy systems or regulations to consider, that has tremendous benefits.

And don't forget Microfiche and microfilm are not reliant on maintaining obsolete drives and software in order to read out the data. Basically all you need is a microscope/magnification system, and the data is accessible. Try doing that with a old tape drive. Some large organizations need that kind of futureproofing.

Sending something that important using anything other than Registered mail was a huge blunder.

At this point, I would think that it'd be almost negligent to send something with that much personal data any way short of personal courier or paying the mileage for one of your employees to deliver it by hand.

Righto. Especially since HP has a history of losing sensitive data. They just don't seem to give a damn.

What was a .com doing with raw US government data?If a US government department needs help, let the security cleared consultants come to the building, get the data in digital form and then work on it as needed....If digital data is on the move, encrypt it and use a secure courier.People trust much wealth via courier services, but its at a personal level.U.S. infrastructure really seems to be crumbling at a state and federal level outside over funded .mil projects.

Having personally seen things from the other side (worked for UPS, not quite USPS), when it comes to shipping, you get what you pay for. I'd be curious to hear if HP had paid for the cheapest shipping available or had used insured/express mail or whatever business options might have been available to them.

Having personally seen things from the other side (worked for UPS, not quite USPS), when it comes to shipping, you get what you pay for. I'd be curious to hear if HP had paid for the cheapest shipping available or had used insured/express mail or whatever business options might have been available to them.

What do you mean "you get what you pay for"? Is there a shipping option that says "most of your stuff will get there"? Or "delivery on a best effort basis"?

Having personally seen things from the other side (worked for UPS, not quite USPS), when it comes to shipping, you get what you pay for. I'd be curious to hear if HP had paid for the cheapest shipping available or had used insured/express mail or whatever business options might have been available to them.

What do you mean "you get what you pay for"? Is there a shipping option that says "most of your stuff will get there"? Or "delivery on a best effort basis"?

Unfortunately, it's true to some degree. Although I'm thinking more of goods from Amazon and the like, I notice cheap shipping at the lowest rate cost a lot of time on my end(the receiver) if anything. If HP did use super cheapo shipping, USPS doesn't give a care and hold packages for over a week sometimes. And someone probably did rifle through the info or threw it around so it got opened up and damaged in bulk. It's indeed HP's fault for not using better delivery options. How about insured and registered First Class for one, with such sensitive info?!!

Having personally seen things from the other side (worked for UPS, not quite USPS), when it comes to shipping, you get what you pay for. I'd be curious to hear if HP had paid for the cheapest shipping available or had used insured/express mail or whatever business options might have been available to them.

What do you mean "you get what you pay for"? Is there a shipping option that says "most of your stuff will get there"? Or "delivery on a best effort basis"?

Unfortunately, it's true to some degree. Although I'm thinking more of goods from Amazon and the like, I notice cheap shipping at the lowest rate cost a lot of time on my end(the receiver) if anything. If HP did use super cheapo shipping, USPS doesn't give a care and hold packages for over a week sometimes. And someone probably did rifle through the info or threw it around so it got opened up and damaged in bulk. It's indeed HP's fault for not using better delivery options. How about insured and registered First Class for one, with such sensitive info?!!

Right, they should use a better delivery option.

Also, if what you say is true, the USPS needs to fix their shit. That's totally unacceptable.

Again, misleading title. HP had little to do with the 'damage' to the package containing the microfiche. It was the USPS that technically lost this information.

I wonder if that was the only copy of this data? If so, then why are they shipping it to/from wherever?

I don't think it's misleading at all. HP was responsible for the data, sending it through USPS was taking a chance with a lot of sensitive information.

I have to disagree. This is entirely the post office's fault, not HP's. There shouldn't be a concern that the USPS will lose it... You can mail some levels of classified information through the post office. If I can mail information that "will cause harm to the US" if it is lost through the post office, why should I have concerns about this type of data?

Again, misleading title. HP had little to do with the 'damage' to the package containing the microfiche. It was the USPS that technically lost this information.

I wonder if that was the only copy of this data? If so, then why are they shipping it to/from wherever?

I don't think it's misleading at all. HP was responsible for the data, sending it through USPS was taking a chance with a lot of sensitive information.

I have to disagree. This is entirely the post office's fault, not HP's. There shouldn't be a concern that the USPS will lose it... You can mail some levels of classified information through the post office. If I can mail information that "will cause harm to the US" if it is lost through the post office, why should I have concerns about this type of data?

If you have something important like this to send, you don't send by regular mail, PERIOD! I'm sure people do it all the time and hope for the best, but with this type of info you simply DO NOT take these chances. Now if they did send by Express Mail with tracking and insurance, then I'll change my opinion and post the blame solely on USPS. But I'm tending to think they did use just regular post.

Am I the only one here who didn't know what microfiche was before reading this article? I've literally never heard of the concept of storing data in miniturized form on film until today.

Honest question: how old are you? Before the internet was big and people actually went to the library for obscure information, microfiche was the only way to keep data in bulk. I remember using it to read old newspapers for some high school project back in the mid-90s.

I have to disagree. This is entirely the post office's fault, not HP's. There shouldn't be a concern that the USPS will lose it... You can mail some levels of classified information through the post office. If I can mail information that "will cause harm to the US" if it is lost through the post office, why should I have concerns about this type of data?

If you have something important like this to send, you don't send by regular mail, PERIOD! I'm sure people do it all the time and hope for the best, but with this type of info you simply DO NOT take these chances. Now if they did send by Express Mail with tracking and insurance, then I'll change my opinion and post the blame solely on USPS. But I'm tending to think they did use just regular post.

True. Though, the article says that the package did arrive (damaged and incomplete), so I'm not sure what adding tracking and insurance would really have done. It sounds like the package wasn't lost; instead, someone (purposely or accidentally) took/lost some of the package contents while it was in the hands of the USPS.

Again, misleading title. HP had little to do with the 'damage' to the package containing the microfiche. It was the USPS that technically lost this information.

I wonder if that was the only copy of this data? If so, then why are they shipping it to/from wherever?

I don't think it's misleading at all. HP was responsible for the data, sending it through USPS was taking a chance with a lot of sensitive information.

I have to disagree. This is entirely the post office's fault, not HP's. There shouldn't be a concern that the USPS will lose it... You can mail some levels of classified information through the post office. If I can mail information that "will cause harm to the US" if it is lost through the post office, why should I have concerns about this type of data?

If you have something important like this to send, you don't send by regular mail, PERIOD! I'm sure people do it all the time and hope for the best, but with this type of info you simply DO NOT take these chances. Now if they did send by Express Mail with tracking and insurance, then I'll change my opinion and post the blame solely on USPS. But I'm tending to think they did use just regular post.

USPS is not responsible for the losses. Even if insured, they are only responsible for the value you indicated. If the value was >$1e6 the cost to ship would have been >$1e4. (personal information at this level has no real definable value) I doubt they would have paid that.

I had worked on insurance calculations and the assumption was that 1/1000 to 1/10000 packages either do not make it or are damaged on route. This is pretty common knowledge to anyone in the field. If they didn't want to take the risk, they would not have sent it this way.

Sending something that important using anything other than Registered mail was a huge blunder.

How does registered mail keep any delivery service from losing your package? Thinking through the logic, it only guarantees somebody signs for it if they don't lose it.

You're confusing "Registered Mail" with "Signature Confirmation." With Registered Mail, there is a record made at the USPS everytime the package the passed from one handler to another. It should be easy with RM to go through the chain of custody and figure out the first person who saw the damaged package.

What was a .com doing with raw US government data?If a US government department needs help, let the security cleared consultants come to the building, get the data in digital form and then work on it as needed....If digital data is on the move, encrypt it and use a secure courier.People trust much wealth via courier services, but its at a personal level.U.S. infrastructure really seems to be crumbling at a state and federal level outside over funded .mil projects.

HP is a large organization, including having bought out EDS who was in the business of providing to the Gov computer, server, and data backup services.

HP has been more than cheap printers and iffy PCs/Laptops for many years now

And this is completely the USPS's fault, even it it was shipped Priority Overnight, they will still not guarantee anything other than the box getting there, not necessarily the contents, hence why the USPS is going belly up, they make FedEx look good

I've worked at FedEx and chances are the package got smashed open by the conveyor belts, the microfiche fell out and is laying outside a dock door somewhere. The package handlers drenched in sweat getting payed $10/hr don't care enough to handle these packages carefully... and it's very unlikely that these workers were opportunistic enough to notice what it was (100% certain the package didn't have a "SENSITIVE INFORMATION, DON'T LOOK HERE" sticker) and take advantage of it. If anything, the microfiche is laying on the floor somewhere with footprints on it.

And lol @ the people blaming USPS, I can tell you first hand that the people loading these trucks aren't going to treat every package like it's important. Half the time we don't even retape the packages that do break open because we're getting slammed by the conveyor belts and don't have the time. Remember this: you get what you pay for... don't expect first class service when you're paying bare-bottom prices. HP tried to save a few bucks and now have PR issues to deal with -- and they only have themselves to blame for it.

HP may not have been the ones to pick the shipper. Many government contracts are written such that the lowers cost option must be chosen, or in such a way that USPS is the only option (delivery to p.o. box and such)

I would also like to add that most places like FedEx, USPS, UPS treat their workers like criminals every day and have us go through metal detectors that go off every time (thanks to steel-toed boots they require us to wear) and get patted down by old creepy security guards... it isn't as easy as you think to sneak something out of one of these places.

There are plenty of secure document transport companies in California, this is just a case of HP being cheap. Those state employees should be grateful they don't work for a major financial institution as this is their first possible breach. When I was working at Fidelity they "lost" my information 5 times within 3 years, it was so bad I had overlapping free credit monitoring services.

Again, misleading title. HP had little to do with the 'damage' to the package containing the microfiche. It was the USPS that technically lost this information.

I wonder if that was the only copy of this data? If so, then why are they shipping it to/from wherever?

I don't think it's misleading at all. HP was responsible for the data, sending it through USPS was taking a chance with a lot of sensitive information.

Hmmm....Think anyone in the government is going to say to HP: "Why did you send it through the USPS when you *knew* it wouldn't arrive intact?" It's ridiculous to actually blame HP for mailing a package it had every right to believe would arrive intact at its destination. It was clearly the USPS that damaged the package--not HP--whose only crime seems to have been, in your estimation, that they used the Post Office. It's probably a routine followed dozens if not hundreds of times in the past with no difficulties. Nobody is going to blame HP for this.

Younger people have this odd notion (I did, too) that if things aren't perfect then they *should be* and if they aren't then it is "somebody's fault." Playing the blame game helps them preserve the illusion of perfectibility. When you age a bit you understand what a crock that is...

Like others, I don't see how this is HP's fault. People assume that some HP mailing clerk walked into the USPS, picked the cheapest option available, and handed the postal service counter dude a wad of cash to pay the shipping charge.

They stuck it in a padded envelope, sent it down to the mail room at HP's corporate HQ, the mail room clerk stuck a POSTAGE PREPAID sticker on it, probably because they didn't know what it was, or how valuable it was, and when the USPS truck came, they handed it off, and that was the end of it.

HP's negligence came from not picking a UPS/FEDEX shipping, or a courier service, and this article makes the whole thing out to be a whole lot more sinister than it actually is. I will bet money that nothing was stolen. In all reality, the package broke open at a sorting center along the way, and there was no shipping manifest to say that there are X number of microfilm canisters, and so they just taped it up, assumed all was well, and moved on. There's probably a roll of microfilm collecting dust at some USPS facility, on the floor, under a conveyor belt somewhere. Or it got swept up and thrown in the trash. It's a big deal, but it's incredibly unlikely that anyone knew what they were looking at when they inspected the package, or even cared.

I have had to ship some quite expensive and fragile items in my day, and have had plenty of logistics experience, as well as dealing with staff from UPS, FedEx, and USPS. From what it sounds like, the items may not have packed properly to begin with. Regardless of which organization is doing the shipping, it can be expected to be handled roughly at some point (just like check baggage in airline travel). Pack accordingly, or hand deliver...

Again, misleading title. HP had little to do with the 'damage' to the package containing the microfiche. It was the USPS that technically lost this information.

I wonder if that was the only copy of this data? If so, then why are they shipping it to/from wherever?

I don't think it's misleading at all. HP was responsible for the data, sending it through USPS was taking a chance with a lot of sensitive information.

Hmmm....Think anyone in the government is going to say to HP: "Why did you send it through the USPS when you *knew* it wouldn't arrive intact?" It's ridiculous to actually blame HP for mailing a package it had every right to believe would arrive intact at its destination. It was clearly the USPS that damaged the package--not HP--whose only crime seems to have been, in your estimation, that they used the Post Office. It's probably a routine followed dozens if not hundreds of times in the past with no difficulties. Nobody is going to blame HP for this.

Younger people have this odd notion (I did, too) that if things aren't perfect then they *should be* and if they aren't then it is "somebody's fault." Playing the blame game helps them preserve the illusion of perfectibility. When you age a bit you understand what a crock that is...

This, I agree with. It's the same people who pretend the 2LOT doesn't exist - no one wants accept their loss and tries shifting it to someone else.

I have had to ship some quite expensive and fragile items in my day, and have had plenty of logistics experience, as well as dealing with staff from UPS, FedEx, and USPS. From what it sounds like, the items may not have packed properly to begin with. Regardless of which organization is doing the shipping, it can be expected to be handled roughly at some point (just like check baggage in airline travel). Pack accordingly, or hand deliver...

I am willing to bet that this is the case too. Someone from HP put it in a flimsy envelope, didn't seal it properly, or what-not, and it split open and spilled its contents somewhere along the way. Obviously you can't count microfiche slides nor can you see what the data is without a magnifying glass.

I did use microfiche, if you want to learn a little bit and learn about what it is, try going to the local library and asking if they have any archives of newspapers from the turn of the century (that's 1900s, not 2000s you youngins!). Many of them have been converted to microfiche from paper.